Blogger: Time Warner Routers Still Hackable Despite Company Assurance

A blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company last week that it patched the routers.

Last Tuesday, David Chen, an internet startup founder, published information about the vulnerability in Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The problem would allow a hacker to remotely access the device’s administrative menu over the internet and potentially change the settings to intercept traffic, making possible all sorts of nefarious activity.

Time Warner acknowledged the problem to Threat Level that day, and said it was testing replacement firmware code from the router manufacturer, which it planned to push out to customers soon. Shortly after Threat Level published a piece about the vulnerability, a Time Warner spokesman tweeted to Chen that the patch had been deployed and customer routers were now protected.

"Thanks for your post," wrote spokesman Jeff Simmermon to Chen. "We've got a temporary patch in place now while we work on a permanent solution — you should be safe."

But according to Chen, the routers have not been fixed. Writing Monday at his blog, chenosaurus.com, Chen said he ran a scan over the weekend and found 500 routers still vulnerable to attack and that he had not found "a single bit of evidence that supports their claims of a 'temporary patch.'"

An assistant for Time Warner spokesman Alex Dudley told Threat Level that all of the company's press representatives are at a conference in Colorado this week and are unavailable for comment. SMC did not respond to a request for comment prior to publication.

Chen said it's possible that Time Warner is rolling out the patch in stages and that the vulnerable routers he encountered in his latest scan have not yet been patched, but he finds this doubtful.

"I'm sure they have an automated system to deploy these things, and it shouldn't take them more than a week to push out a critical fix," he said.

The routers are given to Time Warner customers with baked-in default configurations. Customers can change the configuration through the router's built-in web server, but the web page limits them to adding a list of URLs they want their router to block.

But Chen, founder of a software startup called Pip.io, discovered last week that he could easily get to an administrative page that would allow him greater control of the router.

He found that Time Warner had hidden administrative functions from its customers with JavaScript code. By simply disabling JavaScript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.

Inside that file was the administrative login and password in cleartext. The same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network. Given that the routers expose their administrative interfaces to the public-facing internet, some 65,000 routers could all be easily modified by anyone with this one username and password.
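The design flaw described above, as an added illustration that is not code from the article, SMC or Time Warner: a minimal model of a router web interface that hides admin controls only with client-side JavaScript and serves the config dump to anyone who requests the URL, beside a hardened version that enforces the role check on the server and never emits the secret. The paths, roles and sample configuration values are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample config; credential values are placeholders, not the real ones.
DEVICE_CONFIG = {
    "wifi_mode": "WEP",
    "admin_user": "ADMIN-USER-PLACEHOLDER",
    "admin_pass": "ADMIN-PASS-PLACEHOLDER",
    "blocked_urls": ["example.invalid"],
}

ADMIN_TOOLS = '<a id="dump" href="/admin/config_dump">Dump configuration</a>'


@dataclass
class Session:
    role: str  # "customer" or "admin", established by the login


def render_page_vulnerable(session: Session) -> str:
    """Every control is sent to every client; JavaScript is expected to hide
    the admin-only ones. Turning JavaScript off reveals them unchanged."""
    hide = ('<script>if (ROLE != "admin") '
            'document.getElementById("dump").hidden = true;</script>')
    return f'<script>var ROLE = "{session.role}";</script>{ADMIN_TOOLS}{hide}'


def handle_vulnerable(path: str, session: Session):
    """No server-side authorization: knowing the URL is enough to get the
    full configuration, credentials included, whatever the session's role."""
    if path == "/admin/config_dump":
        return 200, dict(DEVICE_CONFIG)
    return 200, render_page_vulnerable(session)


def render_page_hardened(session: Session) -> str:
    """Admin markup is never sent to a customer session in the first place."""
    return ADMIN_TOOLS if session.role == "admin" else "<p>Customer settings</p>"


def handle_hardened(path: str, session: Session):
    """Authorization is checked on every request, and the password is
    redacted from the dump even for admins; the browser is not trusted
    to hide anything."""
    if path == "/admin/config_dump":
        if session.role != "admin":
            return 403, "forbidden"
        redacted = {k: ("<redacted>" if k == "admin_pass" else v)
                    for k, v in DEVICE_CONFIG.items()}
        return 200, redacted
    return 200, render_page_hardened(session)
```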

A hacker could alter the router’s DNS settings — for example, to redirect the customer’s browser to malicious websites — or change the Wi-Fi settings to open the user's home network to the neighbors.

Adding to the snafu, Chen also found, during additional scans of the routers this weekend, that the routers leave a telnet port open by default.

A simple change to the configuration of each router would block access to the router from outsiders on the internet. Chen also said internet service providers should block traffic to ports 8080, 8181 and 23 (ports that are open on the router by default) until SMC and Time Warner have deployed a permanent fix to the vulnerable routers. And the router vendor should configure the routers to use WPA2 instead of WEP for Wi-Fi encryption, since the latter has long been shown to be vulnerable to hacking in minutes.

Better yet, Time Warner should just start over.

"Of course the best idea would be to immediately recall those routers and issue your customers real cable modems and decent wifi routers with good security," Chen wrote on his post.

UPDATE @ 4:31 PST: An SMC spokesman responded with new details about the patch. Spokesman Greg Fisher said he doesn't know if Time Warner has distributed the patch to every router yet, but he said the patch was designed to fix the JavaScript issue by getting rid of the cascading style sheets so that the administrator's configuration page is completely separate from the customer's page.

Routers that are updated with the patch will now only show the customer configuration page to customers who log in with generic user credentials. This means a customer will not have access to the tool Chen used to download the configuration file exposing the administrative username and password in cleartext.

This doesn't fix the problem entirely, however. Chen says that if an attacker already has the administrative username and password – as Chen does – he can still access the admin panel to reconfigure a router.

Time Warner Cable told Threat Level last week that it planned to change the administrative user name and password that Chen exposed. But Chen says the credentials are still the same on every router he's examined.

SMC spokesman Fisher told Threat Level that the admin credentials Chen exposed are actually the administrative credentials for a router made by Ambit. He said it appears that Time Warner applied the same credentials to its customers' SMC routers.